ADM 325 – Information Security Policy

Title: McPherson College – Information Security Policy
Effective Date: June 30, 2016
Issuing Authority: Office of the Vice President for Finance and Information and Instructional Technologies
Program Coordinators: Vice President for Finance and Director of Information and Instructional Technologies
Last Updated: August 4, 2016


Purpose of Policy

Information and information systems are critical college resources and assets. McPherson College has adopted these information and computing policy statements to safeguard the college's investment in those assets and to comply with the regulatory requirements that apply to the data it holds.

Policy

The protected data and information maintained by the college must be handled and managed in accordance with applicable state and federal mandates. All employees are expected to know and adhere to this policy and to the related policies it references. Violations of these policies can lead to revocation of system privileges and/or disciplinary action, up to and including termination of employment.

The use of any McPherson College data and information, in any format, for anything beyond the operation of the college is strictly forbidden. Unacceptable uses include sharing the data with groups, organizations, or activities that are not college-sponsored or college-approved; use of data for personal gain; use of data to satisfy personal curiosity; removing data or reports from the campus except as required in the performance of college duties; and use by individuals outside of their normal job responsibilities.

Procedures

McPherson College uses access controls and other security measures to protect the confidentiality, integrity, and availability of the college's data and information. Data and information can be stored and transmitted in a variety of ways, including but not limited to computer files stored on desktop computers, CDs, servers, portable electronic storage devices, paper files, audio or video files, telephone calls, and verbal communications. The college is the owner of all administrative data, although individual units or departments may have stewardship responsibilities for portions of that data.

Electronic protected or confidential data must be handled in accordance with the Securing College Data policy. Whenever possible, paper files should not contain protected or confidential data such as social security numbers. When it is absolutely necessary, such paper files must be attended or kept in a secured, locked area. Protected or confidential data should not be taken off campus; if it must be, it must never be left unattended, and if it is absolutely necessary to leave it in a vehicle, it must be locked in the trunk.

Any individual using protected or confidential data of McPherson College must follow the policies that provide detailed guidance for the security of that specific type of data.

Notifications for Breach of Security:

For the purpose of breach notification, this policy defines "personal information" as:
"an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements is not encrypted:

  1. Social Security number;
  2. driver’s license number or student identification card number; or
  3. account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.”

If you believe personal information or any other type of protected or confidential data may have been breached at McPherson College, the following incident response steps must be taken immediately:

  1. The individual who discovers the breach must immediately notify Financial Services.
  2. Financial Services will contact the Vice President for Finance and, if electronic information or devices are involved, will also notify the Director of Information and Instructional Technologies (IIT).
  3. The Controller, the Vice President for Finance, and the Director of IIT will determine whether a breach of the security of data has occurred and what action is appropriate.

The Controller, Vice President for Finance, Director of IIT, and Director of Marketing and Communications may use the guidance for responding to a data breach, and the sample notification letter formats, published on the Federal Trade Commission website.

Types of Protected or Confidential Data:

McPherson College classifies data into three categories:

Protected:

This data is protected under state and federal regulations such as FERPA, HIPAA, Gramm-Leach-Bliley, and others. Data elements in this group include, but are not limited to, social security numbers, student ID numbers, credit card numbers, medical information, bank account numbers, grades, date and/or location of birth, driver's license information, ACH (automated clearing house) numbers, tax return information, credit ratings, income history, loan payment history, passport information, and coursework.

Confidential:

This data is not protected under state or federal regulations, but the college has determined that it should be held private. This data may include promotion materials, salary, employee ID numbers, and review files.

General College Data:

This data pertains to the operation of the college, and its use is not restricted.

Protected or Confidential Data includes, but is not limited to, the data elements below. Each X marks one regulation or policy under which the element is protected (FERPA, GLBA, HIPAA, PCI DSS, or FACTA for Protected Data; COLLEGE for Confidential Data).

Protected Data (FERPA, GLBA, HIPAA, PCI DSS, FACTA)

  Social Security Numbers                          X X X
  Student ID Numbers                               X
  Grades                                           X
  Courses Taken                                    X
  Class Schedule                                   X
  Test Scores                                      X
  Advising Records                                 X
  Educational Services Received                    X
  Student Disciplinary Actions                     X
  Bank Account Numbers                             X X
  Credit Card Numbers                              X X X
  Date and/or Location of Birth                    X X
  Account Balances (Loans, Student/Bank Account)   X X
  Loan Payment Histories                           X X
  Credit Ratings                                   X X
  Income History                                   X X
  Driver's License Information                     X X
  ACH (Automated Clearing House) Numbers           X X
  Tax Return Information                           X X
  Passport                                         X X
  Real Estate Values                               X X
  Health Plan Premiums                             X
  Health Plan Eligibility                          X
  Health Plan Claims Benefits                      X
  Health Plan Enrollment/Dis-enrollment            X
  Health Plan Payments/Remittance                  X
  Health Plan Claims and Status                    X
  Individually Identifiable Health Information     X
  Health Referral Certification and Authorization  X
  First Report of Injury                           X

Confidential Data (COLLEGE)

  Salary and Benefits                              X
  Promotion and Review Materials                   X
  Employee ID Numbers                              X


McPherson College Policies for Protected or Confidential Data:

Securing College Data
Office Responsible: Information and Instructional Technologies
Program Coordinator: Andy Ullom
Summary: McPherson College guidance for protecting electronic information.

Gramm-Leach-Bliley Act (GLBA)
Office Responsible: Vice President for Finance
Program Coordinator: Rick Tuxhorn, CPA, CGMA
Summary: To protect consumer financial information against threats to its security and integrity.

Family Educational Rights and Privacy Act (FERPA)
Office Responsible: Registrar's Office
Program Coordinator: Trisha Hartshorn
Summary: Educational institutions must grant and protect certain rights relating to educational records.

Health Insurance Portability and Accountability Act (HIPAA)
Office Responsible: Human Resources Office
Program Coordinator: Brenda Stocklin-Smith
Summary: To protect the privacy of personal health information.

Payment Card Industry Data Security Standards (PCI DSS)
Office Responsible: Vice President for Finance and Information and Instructional Technologies Director
Program Coordinator: Rick Tuxhorn, CPA, CGMA and Andy Ullom
Summary: Anyone who processes credit card payments must follow the security standards that the payment card brands require of merchants. This policy is in process.

Fair and Accurate Credit Transactions Act (FACTA)/Red Flag Rules
Office Responsible: Vice President for Finance
Program Coordinator: Rick Tuxhorn, CPA, CGMA
Summary: We must be able to detect red flags for identity theft in instances where we issue credit.

Copyright Laws
Office Responsible: Vice President for Academic Affairs
Program Coordinator: Bruce Clary
Summary: All employees of the college are expected to follow laws that protect copyrights.